This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Identity Server as an XACML Engine
XACML support for fine-grained authorization comes with WSO2 Identity Server. It includes full support for policies based on XACML 2.0 and 3.0. For more information on XACML and the concept of XACML engine, see XACML Architecture.
Sign in. Enter your user name and password to log on to the Management Console.
Navigate to the Main menu to access the Entitlement menu. Click Policy Administration under PAP. For more information on policy administration, see Configuring the Policy Administration Point.
Add a new policy or import external policy files to the system. Once you click Add, a policy is added. You can edit the template policy to suit your requirements, or you can add a completely new policy.
Evaluate the template policy with no changes. Click Try It under Tools to evaluate the policy using the XACML Try It tool.
Here you can build your own XACML request to evaluate the policy you just added. Copy and paste the following request into the Try It screen and click Evaluate.
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>admin</AttributeValue>
        </Attribute>
        <Attribute AttributeId="group"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>admin</AttributeValue>
        </Attribute>
    </Subject>
    <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>http://localhost:8280/services/echo/echoString</AttributeValue>
        </Attribute>
    </Resource>
    <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>read</AttributeValue>
        </Attribute>
    </Action>
    <Environment/>
</Request>
The above request means that the "admin" user who belongs to the group "admin" is trying to access the echoString operation of the http://localhost:8280/services/echo service.
The template policy evaluates the above in the following manner:
Find the following section of the template policy:
<Resources>
    <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
    </Resource>
</Resources>
In this policy, we use the urn:oasis:names:tc:xacml:1.0:function:string-regexp-match function to validate the combination of service name and operation name. You can modify it to suit your own requirements.
For example, if you want to allow users to access all of the services deployed on a certain server, simply change the pattern to http://localhost:8280/. Or, if you want a user to access only a certain set of operations, change the regex to http://localhost:8280/services/echo/(echoString|echoInt).
The following code is used to evaluate the user name and the user's group:
<Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        <SubjectAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
            DataType="http://www.w3.org/2001/XMLSchema#string" SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
    </Apply>
</Condition>
<Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Apply>
</Condition>
Here we validate the "admin" user and any user in the "admin" group.
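To make the evaluation described above concrete, here is an added Python example (not WSO2 code and not the Identity Server's own engine) that parses a XACML 2.0 context request like the one on this page and evaluates a minimal model of the template policy: the Target's string-regexp-match on resource-id, and the two string-is-in rules on subject-id and group. It also covers the two regex variants suggested above (whole server, and only the echoString/echoInt operations). Assumptions: string-regexp-match is modelled as an unanchored search, because the template's prefix pattern only matches the full operation URL under those semantics; the catch-all Deny rule at the end, the policy dictionary shape and the build_request helper are constructed for this example, not taken from the page.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XACML 2.0 context namespace and the standard attribute identifiers used on this page.
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def build_request(user, group, resource, action):
    """Construct a XACML 2.0 context request shaped like the one on the page (sample input)."""
    return f"""<Request xmlns="{XACML_CTX}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{XSD_STRING}">
      <AttributeValue>{escape(user)}</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group" DataType="{XSD_STRING}">
      <AttributeValue>{escape(group)}</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="{RESOURCE_ID}" DataType="{XSD_STRING}">
      <AttributeValue>{escape(resource)}</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="{ACTION_ID}" DataType="{XSD_STRING}">
      <AttributeValue>{escape(action)}</AttributeValue>
    </Attribute>
  </Action>
  <Environment/>
</Request>"""


def parse_request(xml_text):
    """Parse a request into {category: {AttributeId: [values]}}.
    Values are kept as bags (lists) because XACML designators return bags."""
    root = ET.fromstring(xml_text)
    ns = {"ctx": XACML_CTX}
    bags = {}
    for category in ("Subject", "Resource", "Action", "Environment"):
        bag = {}
        for attr in root.findall(f"ctx:{category}/ctx:Attribute", ns):
            values = [v.text or "" for v in attr.findall("ctx:AttributeValue", ns)]
            bag.setdefault(attr.get("AttributeId"), []).extend(values)
        bags[category] = bag
    return bags


def string_regexp_match(regexp, value):
    """Model of string-regexp-match (assumption): an unanchored search, so the
    prefix 'http://localhost:8280/services/echo/' matches '.../echo/echoString'.
    Anchor your pattern (^...$) if you want an exact match instead."""
    return re.search(regexp, value) is not None


def string_is_in(value, bag):
    """string-is-in: true if the single value is present in the bag."""
    return value in bag


def evaluate(policy, request_xml):
    """Evaluate the modelled template policy; returns NotApplicable, Permit or Deny.
    policy keys: resource_regexp (Target), allowed_users and allowed_groups (Rules)."""
    req = parse_request(request_xml)
    resources = req["Resource"].get(RESOURCE_ID, [])
    # Target: the policy applies only when some resource-id matches the regexp.
    if not any(string_regexp_match(policy["resource_regexp"], r) for r in resources):
        return "NotApplicable"
    subject_ids = req["Subject"].get(SUBJECT_ID, [])
    groups = req["Subject"].get("group", [])
    # Permit rules: the user is listed, or the user belongs to a listed group.
    if any(string_is_in(u, subject_ids) for u in policy["allowed_users"]):
        return "Permit"
    if any(string_is_in(g, groups) for g in policy["allowed_groups"]):
        return "Permit"
    return "Deny"  # assumed catch-all Deny rule (not shown on the page)


# The template as described on the page, plus the two regex variants it suggests.
TEMPLATE_POLICY = {
    "resource_regexp": "http://localhost:8280/services/echo/",
    "allowed_users": ["admin"],
    "allowed_groups": ["admin"],
}
WHOLE_SERVER_POLICY = dict(TEMPLATE_POLICY, resource_regexp="http://localhost:8280/")
TWO_OPS_POLICY = dict(TEMPLATE_POLICY,
                      resource_regexp="http://localhost:8280/services/echo/(echoString|echoInt)")

if __name__ == "__main__":
    req = build_request("admin", "admin", "http://localhost:8280/services/echo/echoString", "read")
    print(evaluate(TEMPLATE_POLICY, req))
```

Running the script evaluates the page's own request against the template model and prints Permit; a request from a user who is neither admin nor in the admin group falls through to Deny, and a resource outside the regexp gives NotApplicable, which is how a real PDP signals that no policy targeted the request.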
For more information on writing XACML 2.0 based policies, see Writing XACML2.0 Policies in WSO2 Identity Server.
For more information on writing XACML 3.0 based policies, see Writing XACML3 Policies in WSO2 Identity Server.